Version: 7.0

Browser local storage

Passwork allows saving the master key in the browser to avoid entering the master password on each login. Local Storage Secret Code — a server-generated token — is used for protection.

Important

The saved master key is protected by a token that is only issued upon successful basic authentication. Without account access, it is impossible to decrypt data from localStorage.

Local Storage Secret Code

What it is

Local Storage Secret Code is a random token that:

Is generated by the server when a user is created
Is issued to the client after successful authentication
Is used to encrypt the master key in localStorage

Characteristics

Parameter	Web application	Browser extension
Length	100 characters	60 characters
Alphabet	A-Z, a-z, 0-9	A-Z, a-z, 0-9
Entropy	~596 bits	~357 bits
Generation	On server	On server
Token storage	On server	On server

Lifecycle

Creation — when user is registered, server generates Secret Code
Issuance — with each successful authentication, server sends Secret Code to client
Usage — client encrypts master key and saves to localStorage
Rotation — Secret Code can be regenerated by administrator

Master key saving process

Saving sequence:

User enables "Remember master password" option
User enters master password
Client computes master key (PBKDF2, 300,000 iterations, SHA-256)
Client sends master key hash to server for verification
Server confirms correctness and returns Local Storage Secret Code
Client encrypts master key with Secret Code (AES-256-CBC)
Encrypted master key is saved to localStorage
Secret Code is not saved to localStorage

Encryption algorithm

Parameter	Value
Algorithm	AES-256-CBC
Padding	PKCS#7
Key	Local Storage Secret Code (100 characters → 256 bits)
IV	Automatically generated (128 bits)

What is saved in localStorage

Data	Format	Protection
Encrypted master key	Base64 string	AES-256-CBC
User ID	String	—
Application settings	JSON	—

What is NOT saved

Master password (never)
Local Storage Secret Code (issued with each authentication)
Unencrypted master key
Private RSA key

Master key recovery process

Automatic login sequence:

User opens the application
Client checks for encrypted master key in localStorage
If key exists — client remembers it for subsequent decryption
User completes basic authentication (login/password)
Server verifies credentials
Server returns access tokens and Local Storage Secret Code
Client decrypts master key with Secret Code (AES-256-CBC)
Master key is recovered — master password entry not required

Automatic master key recovery is possible if:

Condition	Description
Key presence	localStorage contains encrypted master key
Authentication	User completed basic authentication
Valid Secret Code	Server returned correct Secret Code
Successful decryption	Data is not corrupted

Security model

Threat protection

Threat	Protection
localStorage theft	Data is encrypted, encryption key is on server
XSS attack	Secret Code is not stored on client
Session theft	Basic authentication required
Physical device access	Account password required

Key principle

Without successful server authentication, decrypting the master key is impossible.

Even if an attacker:

Gains access to localStorage
Extracts the encrypted master key
Gains access to the device filesystem

They cannot decrypt the data without:

Account password (or SSO/LDAP access)
Successful server authentication
Obtaining Secret Code from server

Limitations

Scenario	Risk
Shared device	Another user may gain access after their authentication
Browser sync	Encrypted key syncs between devices
Server compromise	Attacker could obtain Secret Code

Managing saved data

Disabling the feature

User can:

Uncheck "Remember master password" in settings
Data will be deleted from localStorage

Forced reset

Administrator can:

Regenerate user's Secret Code
All saved master keys become invalid
User will need to enter master password again

Logout

On logout:

Session tokens are deleted
Encrypted master key may remain in localStorage (for next login)
User can optionally choose "Logout and forget"

Security recommendations

When to use "Remember"

Recommended:

On personal device with password/biometrics
For daily Passwork use
When convenience matters and device is protected

Not recommended:

On shared/public devices
With strict security requirements
If device may be lost/stolen

Organizational policies

Administrator can:

Disable "Remember" feature at policy level
Limit saved key validity period
Require periodic master password re-entry

Memory protection

In-memory obfuscation

Besides localStorage encryption, Passwork uses a mechanism to protect passwords in browser memory:

Method	Description
Splitting	Password is split into random parts
Obfuscation	Each part is obfuscated (character shifting)
Shuffling	Parts are stored in random order
Recovery	Recovery order is stored separately

Limitation

This is obfuscation, not cryptographic protection. It hinders simple memory reading (e.g., in dumps) but doesn't protect against targeted attacks with a debugger.

Browser extension differences

Browser extension has implementation differences:

Parameter	Web application	Extension
Secret Code length	100 characters (~596 bits)	60 characters (~357 bits)
Storage	localStorage	chrome.storage.local
Isolation	Shared domain	Isolated extension
XSS protection	Depends on CSP	Full isolation

Extension advantages

Isolated storage — inaccessible from web pages
Separate execution context — protection from malicious scripts
XSS protection — visited sites cannot access extension data

LLM version

Local Storage Secret Code​

What it is​

Characteristics​

Lifecycle​

Master key saving process​

Encryption algorithm​

What is saved in localStorage​

Master key recovery process​

Automatic login conditions​

Security model​

Threat protection​

Key principle​

Limitations​

Managing saved data​

Disabling the feature​

Forced reset​

Logout​

Security recommendations​

When to use "Remember"​

Organizational policies​

Memory protection​

In-memory obfuscation​

Browser extension differences​

Extension advantages​